Chapter . Use Secure Email

Entourage 2004 includes new tools that allow you to attach a digital ID to your messages (which lets recipients verify that a message really came from you and wasn’t altered on the way), and to encrypt messages so they can’t be read unless the recipient has the right digital key to unlock their contents. Let’s talk about email security a bit before we dive into those new features.

You know, there’s not enough stress in the world. Just when we thought it was safe to sit down at the keyboard, security geek doom-sayers tell us that our email is horribly insecure, because it’s normally sent as plain text across a network or the Internet. Evildoers can intercept your mail in transit and read it, or they can even fake your identity and send messages that appear to be from you.

Well. As if you needed something else to pump up your paranoia level. Is your mail really that subject to attack? Are cybercriminals preying on you even as you read this? Should you spend nights awake in bed worrying? Uh, no.

First, the bad news: those security geeks are correct, at least in terms of the capabilities of the bad guys. Whether those bad guys are an evil hacker sucking down his 25th Mountain Dew of the day, or the U.S. National Security Agency, if someone is motivated enough to get at your email as messages are sent or received, they can probably do so.

But the real questions are how likely it is that your email is being compromised and what’s the liability if someone does read your mail. To answer these questions, ask yourself how important your email is. There’s little incentive for someone to snoop on your conversations with your Aunt Tillie, and there’s little or no downside if they did. But if you regularly discuss confidential business plans, or work on national security documents, then you have legitimate concern for the security and safety of your email. In my opinion, most people shouldn’t worry. I’ve sent tens of thousands of email messages in the past 20 years, since I bought my first Mac. Besides test messages when I was writing about software, I’ve encrypted exactly three messages in all that time (because I belonged to a bulletin board service that had a system operator I didn’t trust). You’ll need to evaluate the potential importance of your email to other people, and decide if taking security measures is worth the extra effort.

Preparing for Secure Email

Secure email uses public-key cryptography, which was introduced in 1976. Explaining public-key cryptography is outside (way outside) the scope of this book. But the basic principle is easy to understand. You encrypt (scramble) information with an encryption key so that it can’t be read except by the intended recipient, who will use a decryption key to unscramble the message.

Public-key cryptography uses a matched pair of keys: a public key, which can be shared freely, and a private key, which is securely stored on its owner’s computer. To send a secure message, you encrypt the message with the intended recipient’s public key, which he has previously given to you. When he receives the encrypted message, he uses his private key to decrypt it. No one else can read the message, since only the recipient has the matching private key. Digital signatures run the other way: you sign a message with your own private key, and anyone who has your public key can verify the signature. That is why the public key is the part you hand out and the private key is the part you guard.
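To make the pairing concrete, here is a small added example (mine, not from the book, and nothing Entourage itself runs) in Python: textbook RSA with the tiny primes 61, 53, 107 and 109, so every value is visible. It shows the two uses the rest of the chapter relies on: Alice encrypts to Bob’s public key and only Bob’s private key recovers the text, and Alice signs with her private key so anyone holding her public key can check the signature. The names, primes and sample message are assumptions for the illustration; real S/MIME keys are far larger and pad the hash rather than reducing it modulo n.

```python
# Added example (not from the book, not Entourage code): the key-pair
# principle of the preceding paragraphs, using textbook RSA with tiny
# primes so every number is visible. Real S/MIME keys are 2048 bits or
# more and use PKCS#1 padding; this is for understanding only.
import hashlib
from math import gcd


def make_keypair(p, q, e=17):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q.

    The public key (n, e) can be handed out freely (it is what a
    certificate carries); the private key (n, d) stays with its owner.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m):
    """Encrypt integer m (0 <= m < n) with the RECIPIENT's public key."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c):
    """Only the holder of the matching private key can undo encrypt()."""
    n, d = private
    return pow(c, d, n)


def _digest(message, n):
    """Hash the message and reduce it into the key's range.

    With real key sizes the hash is padded, not reduced; the reduction
    here is only so the toy modulus can hold it.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Sign with the SENDER's private key: a value only that key can produce."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message, signature):
    """Anyone holding the sender's public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    # Classic textbook parameters: p=61, q=53 gives n=3233, e=17, d=2753.
    bob_pub, bob_priv = make_keypair(61, 53)
    alice_pub, alice_priv = make_keypair(107, 109)

    # Alice -> Bob: encrypt with Bob's public key; Bob decrypts with his private key.
    c = encrypt(bob_pub, 65)  # 2790
    print("ciphertext:", c, "decrypted:", decrypt(bob_priv, c))

    # Alice signs with her private key; Bob verifies with Alice's public key.
    msg = b"Lunch at noon?"  # constructed sample message
    s = sign(alice_priv, msg)
    print("signature ok:", verify(alice_pub, msg, s))
    print("altered signature ok:", verify(alice_pub, msg, (s + 1) % alice_pub[0]))
    print("tampered text ok:", verify(alice_pub, b"Lunch at one?", s))
```

Note which key goes where: encryption uses the other party’s public key, so you can only encrypt to someone whose public key you already hold, while signing uses your own private key, so nobody can produce your signature without the Keychain item that holds it.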

Before you can send secure email, you must contact a certification authority to obtain a digital ID. A certification authority is a business that provides and manages security credentials. (These credentials are used most often to provide secure connections between Web servers and browsers for online transactions. When you buy something online and you see the little padlock icon in your browser window, a set of digital security credentials are being used behind the scenes.) Some certification authorities issue digital IDs for use in sending and receiving secure email. The digital ID is associated with a single email address, and consists of a certificate, which binds your public key to that email address and is signed by the certification authority, together with the matching private key, which is generated and kept on your own computer. Both are stored in the Mac OS X Keychain on your computer, and accessed by Entourage.

You may get your digital ID from your employer. If you obtain your own, I suggest that you get a Thawte Personal Email certificate (http://www.thawte.com/email/). This certificate is free; other certification authorities charge an annual fee for digital IDs.

Warning

If you obtain a Thawte digital ID, get the “Netscape Communicator” ID. The ones for Internet Explorer, Outlook Express, or Outlook won’t work on the Mac.

The registration process for obtaining a digital ID can take up to a day. When I acquired my digital ID from Thawte, an email directed me to a Web page that had a link to the digital ID. Clicking the link installed the ID into my computer’s Keychain.

You can send two types of secure email with Entourage 2004:

Digitally signed email: assures the recipient that the message is actually from you and wasn’t altered after you sent it. A digitally signed message is signed using your private key, and carries the name of the certification authority that issued the ID, a serial number for the ID, and your public key. The recipient’s software uses that public key to check the signature, which proves the message was signed with the matching private key; it also checks that the certificate was issued by a certification authority it trusts. All digitally signed mail includes an attachment, in S/MIME format, that contains the digital signature. S/MIME is a protocol that adds security features to MIME, the standard mail format that allows email file attachments.

Note

If you receive a signed email message, Entourage correctly interprets the S/MIME attachment, and does not show the paperclip that you usually see with file attachments. Some other email programs don’t understand S/MIME attachments, and display the attachment with the name smime.p7s. Such programs won’t recognize that the message was signed at all, though the message text itself is still readable in them as long as it was sent as a clear text signed message (see the account settings below).

Encrypted email: can’t be read by anyone except the intended recipient. You must have each recipient’s public key (her certificate), which can be added to her entry in Entourage’s Address Book; the usual way to get it is to receive a signed message from her that includes it. Entourage encrypts the message using the recipient’s public key. When she gets the message, she uses her private key to decrypt it.

Once you obtain a digital ID, you need to associate it with the email account you designated for use with that ID using the new Security tab in the Edit Account dialog. Follow these steps:

  1. Choose Tools > Accounts.

  2. In the Accounts window, double-click the account to which you want to attach the digital ID.

  3. In the Edit Account dialog, click the Security tab.

  4. In the Signing Certificate section, click the Select button.

  5. In the Signing Certificate dialog, choose the digital ID from the pop-up menu.

    If the pop-up menu lists more than one digital ID and you’re not sure which one to use, click the View Certificate button to display the security certificate, which shows the email address embedded in that certificate.

  6. Click the Choose button to return to the Edit Account dialog.

  7. Choose one or more of the signing options:

    Digitally Sign All Outgoing Messages by Default: This will add your digital signature to every outgoing message (you can turn this on or off for individual messages).

    Include My Certificate When Sending Signed Messages: This will include your public key with all messages that you have digitally signed, so that recipients can verify your signature and can later encrypt mail to you.

    Send Clear Text Signed Messages When Sending Signed Messages: This option sends the message text as ordinary readable text with the signature alongside it, so people with email programs that don’t support secure messages can still read the message, though they can’t verify that it came from you. If you uncheck this option, the text and signature are wrapped together in one S/MIME attachment, and only recipients with secure email programs can read the message. One caveat with clear text signing: because the text travels unprotected next to the signature, any mail server that alters the message body in transit (for example, by appending a footer) will cause the signature to fail verification at the other end.

  8. In the Encryption Certificate section, click the Select button.

  9. In the Encryption Certificate dialog, choose the digital ID from the pop-up menu, then click the Choose button to return to the Edit Account dialog.

  10. If desired, check the box for Encrypt Contents and Attachments for All Outgoing Messages by Default. Remember that encryption uses the recipient’s public key, not yours: Entourage can only encrypt a message to recipients whose certificates you have already added to their Address Book entries, so turn this on only if most of your correspondents have given you their certificates.

  11. Click OK.
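The Note about the smime.p7s attachment and the Send Clear Text Signed Messages option in step 7 both come down to how a signed or encrypted message is laid out on the wire. The following is an added example (mine, not from the book and not Entourage’s code) in Python, using only the standard email package: it constructs three sample messages, clear-signed, opaque-signed and encrypted, with the word "placeholder" standing in for the real signature and ciphertext bytes, and classifies them the way a mail client must. The addresses, subject lines and body text are made up for the illustration.

```python
# Added example (not from the book, not Entourage code): how S/MIME mail
# is laid out on the wire, and what a client that understands S/MIME
# must look at. The three messages below are constructed samples; the
# base64 payloads are just the word "placeholder", not real CMS data.
from email import policy
from email.parser import BytesParser

# Clear-signed: the text is an ordinary part, the signature is a
# detached application/pkcs7-signature part named smime.p7s.
CLEAR_SIGNED = b"""\
From: alice@example.com
To: bob@example.com
Subject: constructed sample (clear-signed)
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

Lunch at noon? Bring the Q3 plan.

--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

cGxhY2Vob2xkZXI=
--sig-boundary--
"""

# Opaque-signed: text and signature are wrapped together in one blob.
OPAQUE_SIGNED = b"""\
From: alice@example.com
To: bob@example.com
Subject: constructed sample (opaque-signed)
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

cGxhY2Vob2xkZXI=
"""

# Encrypted: same container type, but smime-type says enveloped-data.
ENCRYPTED = b"""\
From: alice@example.com
To: bob@example.com
Subject: constructed sample (encrypted)
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

cGxhY2Vob2xkZXI=
"""


def classify(raw):
    """Report what kind of S/MIME message this is and whether a client
    without S/MIME support could still read the text."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = list(msg.iter_parts())
        if len(parts) != 2:
            raise ValueError("multipart/signed must have exactly two parts")
        body, sig = parts
        return {
            "kind": "clear-signed",
            "readable_without_smime": True,
            "signature_filename": sig.get_filename(),
            "micalg": msg.get_param("micalg"),
            "body": body.get_content().strip(),
        }
    if ctype == "application/pkcs7-mime":
        smime_type = msg.get_param("smime-type")
        kind = {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(smime_type, "unknown")
        return {
            "kind": kind,
            "readable_without_smime": False,
            "signature_filename": msg.get_filename(),
            "micalg": None,
            "body": None,  # nothing to show until the CMS blob is processed
        }
    return {"kind": "plain", "readable_without_smime": True,
            "signature_filename": None, "micalg": None,
            "body": msg.get_content().strip()}


if __name__ == "__main__":
    for name, raw in [("clear-signed", CLEAR_SIGNED),
                      ("opaque-signed", OPAQUE_SIGNED),
                      ("encrypted", ENCRYPTED)]:
        print(name, "->", classify(raw))
```

Running it shows why a program without S/MIME support can still display a clear-signed message (the text is a plain-text part sitting next to an attachment named smime.p7s) but shows nothing useful for an opaque-signed or encrypted one, where the whole message is a single application/pkcs7-mime part and only the smime-type parameter tells the two apart.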

Sending Secure Email

Once you’ve obtained your digital ID and set up Entourage to use it, sending secure mail is almost anticlimactic. To send a signed or encrypted message, compose a new message. Then, before sending the message, do one of the following:

  1. Choose Message > Security, then choose either or both choices (Digitally Sign Message or Encrypt Message).

  2. From the message’s toolbar, choose Options > Security, then choose either or both of the security options.

After setting the security options you want, send the message as usual.

Receiving Secure Email

When you open an encrypted message, Entourage decrypts it with your private key and displays the message. When you get a message that has been digitally signed, Entourage uses the public key in the attached certificate to verify the signature (it never sees the sender’s private key), and checks that the certificate was issued by a certification authority it trusts. Entourage lets you know that a message is secure by using the yellow Info Bar at the top of the message to state if the message has been digitally signed, encrypted, or both. Click the View Details link in the Info Bar to check the security details, as shown in Figure 5.

Figure 5. Entourage checks a number of criteria to see if a digitally signed message can be trusted. In this case, the message passed all the tests.

You can add the encryption certificate for a contact to their entry in the Entourage Address Book by clicking the Add to Contacts button in this dialog.

To check the sender of the email, click the Details tab. You’ll see the email address associated with the attached security certificate, and when the message was signed.
